
RELEASE NOTE V1

Page 1 /24 12-11-2014 snenrno_firewall-version-1.2.0 - Copyright Netasq 2014

Stormshield Network Firewall

RELEASE NOTE V1

Upgrade

Lowest version required: Stormshield Network 1.x and NETASQ 9.1.x

Hardware compatibility:

SN150, SN200, SN300, SN500, SN700, SN900, SN2000, SN3000 and SN6000

NETASQ U30S, U70S, U150S, U250S, U500S, U800S, NG1000-A and NG5000-A

Stormshield Network and NETASQ Virtual Appliances

NOTE

Before any upgrade, you are strongly advised to read the chapter on Explanations on usage carefully and to back up the configuration.

Highlights

Features covered → Level of modification

SSL VPN → Major

IPv6 support → Major

Activity Report – Log → Major

Network interfaces → Major

Intrusion prevention engine → Major

Cloud backup → Minor

“Guest” authentication → Minor

HTTP proxy → Minor

Version

This release note contains the description of the main modifications made to the various versions of the same major version. You are advised to apply the latest version in order to benefit from the most recent developments and bug fixes.

Managing the life cycle of versions

According to the terms of the document Product Life Cycle Stormshield Network Security, the maintenance of firmware versions of the 1.x branch is guaranteed up to 03/07/2015. In the absence of a more recent version, support will be provided for this version and version 1.0.0.

Precautions before a migration

The NSRPC binary (Windows executable) allows logging on remotely to firewalls and executing CLI commands sequentially. Since version 1.0, communications have been authenticated via HMAC-SHA2, so the NSRPC client must be upgraded. This can be done in the client and partner areas.

Dynamic objects

In versions of Netasq firmware lower than 9.0.6, configurations may contain dynamic objects with an IP address equal to 0.0.0.0. Such values could cause conflicts during the ASQ engine’s processing, so you are advised to look for such objects and replace the value 0.0.0.0 with a valid IP address before the migration.

ARP entries

If the configuration of the number of ARP entries had been customized (MaxEntries field in the file ConfigFiles / arp), it will be reinitialized during a migration operation. This number will need to be customized again when the version is changed (MaxARPEntries and MaxNDPEntries fields in the file ConfigFiles / ether).

1.2.0: Features, Resolved vulnerabilities, Bug fixes, Known issues

1.1.3: Bug fixes

1.1.2: Features

1.1.1: Bug fixes

1.1.0: Features, Resolved vulnerabilities

1.0.0: Features

Explanations on usage

1.2.0 Features

Intrusion prevention

Support reference 47619

The intrusion prevention engine recognizes and analyzes both of the new encryption suites (ChaCha20 and Poly1305) embedded in Google servers (*.google.*) and recent versions of the Chrome browser.

Two additional types of Microsoft RPC (DCE/RPC) traffic are analyzed by the intrusion prevention engine (Protocols module). These are the Microsoft Exchange EMSMDB interface and the Microsoft Exchange Async EMSMDB interface.

System

Firewalls can now log on to external LDAP directories using a posixGroup schema (users are saved with their user names instead of their DNs [Distinguished Name]). The LDAP directory can only be chosen via CLI commands for the moment.

On SN6000 high-end models, the LCD screen successively displays a set of information relating to the system or to certain features when they are enabled: the firewall’s name or serial number, the firmware version of the main partition, high availability status (HA), RAID status, and IP address of the IPMI (Intelligent Platform Management Interface).

Web administration interface

In order to strengthen the security of connections to the web administration interface, the encryption suites based on the hash algorithm SHA1 are no longer authorized. Only the suites based on SHA2 can now be used. As a result, for some older versions of web browsers (e.g.: Microsoft Internet Explorer v9), the TLS v1.2 protocol must be enabled.
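
Why refusing SHA1-based suites pushes older browsers onto TLS 1.2, as an added example (not code from the release note or from Stormshield): it classifies OpenSSL-style cipher suite names by their hash algorithm and by the lowest protocol version able to negotiate them. The suite list and the two cipher strings are constructed for the demonstration and are not the firewall's configuration syntax.

```python
"""Classify TLS cipher suites by hash algorithm and minimum protocol version."""
import re
from dataclasses import dataclass

# Constructed sample of OpenSSL-style suite names a 2014-era server might offer.
SAMPLE_SUITES = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES256-SHA",
    "AES128-SHA256",
    "AES256-SHA",
    "DES-CBC3-SHA",
    "RC4-MD5",
]

# OpenSSL cipher-string spellings of the two policies (assumed illustration, not the
# firewall's own configuration syntax): "!SHA1" drops every suite whose MAC is SHA1.
LEGACY_CIPHER_STRING = "HIGH:!aNULL:!MD5"
SHA2_CIPHER_STRING = "HIGH:!aNULL:!MD5:!SHA1"

_HASH_RE = re.compile(r"-(SHA384|SHA256|SHA|MD5)$")


@dataclass(frozen=True)
class SuiteInfo:
    name: str
    hash_alg: str   # "SHA1", "SHA256", "SHA384" or "MD5"
    aead: bool      # GCM suites: the hash only feeds the PRF, there is no HMAC
    min_tls: str    # lowest TLS version able to negotiate the suite


def classify(name: str) -> SuiteInfo:
    """Derive hash, AEAD flag and minimum TLS version from an OpenSSL suite name."""
    m = _HASH_RE.search(name)
    if not m:
        raise ValueError(f"unrecognized suite name: {name}")
    token = m.group(1)
    hash_alg = "SHA1" if token == "SHA" else token
    aead = "-GCM-" in name
    # SHA-256/384 HMAC suites and AEAD suites exist only from TLS 1.2 (RFC 5246, RFC 5288);
    # every TLS 1.0/1.1 suite authenticates records with SHA1 or MD5.
    min_tls = "TLSv1.2" if aead or hash_alg in ("SHA256", "SHA384") else "TLSv1.0"
    return SuiteInfo(name, hash_alg, aead, min_tls)


def sha2_only(suites):
    """Suites that survive the release's policy: SHA2-based only (SHA1 and MD5 refused)."""
    return [s for s in suites if classify(s).hash_alg in ("SHA256", "SHA384")]


def requires_tls12(suites) -> bool:
    """True when every surviving suite needs TLS 1.2, so a browser with TLS 1.2
    disabled (the IE9 case in the note) cannot complete the handshake."""
    allowed = sha2_only(suites)
    return bool(allowed) and all(classify(s).min_tls == "TLSv1.2" for s in allowed)


if __name__ == "__main__":
    for s in SAMPLE_SUITES:
        info = classify(s)
        print(f"{s:30} {info.hash_alg:6} min {info.min_tls}")
    print("SHA2-only policy keeps:", sha2_only(SAMPLE_SUITES))
    print("TLS 1.2 required:", requires_tls12(SAMPLE_SUITES))
```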

Dashboard

The statuses of disks and any RAID volumes (high-end SN3000 and SN6000 firewalls) as well as power supply modules (high-end SN3000 and SN6000 firewalls) are now displayed in the Hardware window on the Dashboard.

Web objects

Comments can now be added to each element belonging to a customized URL category, or to a customized category of certificate names.

Application inspections: FTP

An option now allows restricting the use of the FTP protocol to certain user accounts, by defining a list of authorized users and/or a list of blocked users. This option is available from the FTP users tab in the FTP Protocol module.

SSL VPN tunnel

The listening port of the SSL VPN tunnel server can now be configured (the default value suggested remains port TCP/443). Do note that certain reserved ports (e.g.: http_proxy) cannot be used.

Authentication portal

Users authenticated via the firewall’s portal can now log off from this portal without having to re-enter their logins and passwords, thanks to the authentication cookie.

Virtual firewalls

The Ethernet network driver on Stormshield Network virtual firewalls (vmx) has been updated, thereby allowing them to reach throughputs of up to 10Gb/s.

Stormshield Network Real-Time Monitor

The statuses of internal disks and any RAID volumes (high-end SN3000 and SN6000 firewalls) as well as power supply modules (high-end SN3000 and SN6000 firewalls) are now displayed in the Hardware module in SN Real-Time Monitor.

1.2.0 Resolved vulnerabilities

SSL and TLS security flaw

Vulnerabilities that can cause Man in the Middle (MITM) attacks or Denials of Service have been resolved following the upgrade of the OpenSSL cryptographic library to version 1.0.1j. The list of these vulnerabilities is as follows:

- SRTP Memory Leak (CVE-2014-3513),
- Session Ticket Memory Leak (CVE-2014-3567),
- SSL 3.0 Fallback,
- Build option no-ssl3 is incomplete (CVE-2014-3568).

FreeBSD security flaw

A vulnerability regarding TCP packet treatment (FreeBSD-SA-14:19 – Denial of service in the treatment of TCP packets) has been resolved by the application of a FreeBSD security fix.

1.2.0 Bug fixes

Intrusion prevention

Support reference 47370

The use of the SIP protocol within a NAT rule specifying the destination port would generate an anomaly in address translation for the Contact field. This malfunction has been fixed.

Support reference 47975

In the Contact field of a SIP packet going through the firewall, the presence of commas within a character string may be incorrectly interpreted by the intrusion prevention engine, thereby preventing the telephone from being saved on a SIP server. This anomaly has been fixed.

Support reference 45544

Traffic from WAN optimization tools developed by Riverbed Technology going through a filter rule defined in firewall mode could prevent the intrusion prevention engine from running correctly due to the specific TCP syntax used by these appliances. This issue has been resolved.

System

Support reference 48124 - 48316

When a connection to a firewall is made through a PPTP tunnel which was interrupted then set up again, certain network packets may be re-sent continuously, potentially causing the firewall to freeze. This issue has been fixed.

Support reference 46864

Whenever the language configuration file contained an empty or invalid Keyboard field, the menu System > Configuration may no longer be accessible and cause a disconnection from the administration interface. This issue has been resolved.

File system

Support reference 48267

The firewall could potentially write data on the disk sector bearing the label of a partition. This partition would then be detected by the system as corrupted and irreparable. This issue has been resolved with the adoption of the UFS (Unix File System) disk partitioning system.

Interfaces

Support reference 47595

The modem creation wizard selected by default the type of connection “if there is traffic (on demand)”, which could cause the modem to malfunction. This reaction has been modified, and the “permanent” connection type is now the predefined choice.

DHCP

Support reference 47494

On a firewall that already has a DHCP address range associated with a gateway, a second routed DHCP range could not be created. This anomaly has been fixed.

Support reference 47030

In configurations containing a DHCP address range as well as a static route on the same protected interface, the DHCP server could potentially stop adhering to the address range for this interface, thereby distributing unsuitable IP addresses. This issue has been resolved.

Support reference 47396

For configurations containing a very large number of DHCP reservations, the configuration file generated could not be fully read by the DHCP server, which may then fail to restart correctly. This anomaly has been fixed.

Support reference 46340

When remote clients were connected via PPTP, the DHCP server could no longer be started as it would then attempt to listen to DHCP requests on the virtual interface dedicated to these PPTP tunnels. This issue has been resolved.

Authentication

Support reference 47667

When an authentication rule contained several methods including authentication via SSO Agent, the method listed just after it could potentially stop being applied, therefore causing authentication problems. This issue has been resolved.

Filtering and NAT

Support reference 44621

In certain configurations of filter rules (routing on a gateway other than the default gateway, the use of automatic protocol detection and the value of the protocol field forced to “TCP”), packets sent by the firewall could bear a wrong source IP address (address of the interface connected to the default gateway). This issue has been resolved.

Policy Based Routing

Support reference 45689 - 47089 - 47940 - 48173

When gateways are specified in filter rules (Policy Based Routing), their availability is systematically tested by a monitoring mechanism (ICMP echo request message). In configurations that use two (or more) dialup gateways on a single ISP (internet service provider), the ISP would present the same remote IP address for both appliances, which was incompatible with the gateway monitoring mechanism. This issue has been resolved.

Some environments do not allow pings to internet access gateways (dialup). During the implementation of routing to dialup gateways in filter rules (PBR: Policy Based Routing), the availability monitoring mechanism could wrongly consider these gateways as unreachable. This detection mechanism has been enhanced in order to fix this issue.

Logs

Support reference 47528

Following the migration of a configuration from v9.1.x to v1.1.0 with log file rotation enabled (menu Configuration > Notifications > Logs – syslog), only the oldest file in each log category was deleted. As the size of these files could reach 20M in version 1.x (as opposed to only 5M in version 9.1.x), the partition reserved for the storage of these files could then become saturated. The method for calculating the disk space needed for each log category has been reviewed in order to fix this problem.

SSL Proxy

The use of the SSL proxy on SN150 Firewalls could potentially prevent or alter the display of HTTPS pages. This issue has been resolved.

Software update via USB key

Support reference 47636 - 47637

In the context of an upgrade via USB key, the firewall would reboot before installing the firmware version downloaded from the key. If the USB key was still plugged in after this reboot, the firewall would detect it again and attempt to download this upgrade a second time. In order to allow the USB key to be ejected and therefore prevent the installation of an identical upgrade, this reboot has been replaced by a shutdown. The installation will eventually be preceded again by a simple reboot, and this issue has been resolved by the detection of the upgrade version on the key.

Web administration interface

Software updates

When a firmware upgrade was indicated as unavailable in the System update tab in the Maintenance module, the download link could fail to work. This anomaly has been fixed.

Support reference 47384 - 47630

During a search for firmware upgrades, a message indicating “No information available” could mistakenly appear. This issue has been resolved.

Routing

Support reference 47344

When adding a static route using the IPSec VPN interface, an error message would indicate that this interface could not be found. This anomaly has been fixed.

LDAP directory

Support reference 45863

When the Organization field in the LDAP directory contained square brackets “[ ]”, users in the directory were not visible in the Users menu on the firewall. This issue has been resolved.

Filtering and NAT

Support reference 46722

Filter rules that use proxies (through a URL inspection for example), and a destination port combined with a comparison operator (!=, > or <), could wrongly be indicated as invalid. This anomaly has been fixed.

Support reference 46523

The use of groups containing more than 256 objects in a filter rule would generate warning messages when the filter policy is loaded, and the storage of these messages could cause the partition dedicated to logs to fill up. This behavior has been corrected.

PKI and certificates

Support reference 45436

The creation of a certificate for a user with an e-mail address identical to that of a user already configured on the firewall would cause an error message to appear, displaying the password of the associated CA. This anomaly has been fixed.

Objects

Support reference 47594 - 47714

When an empty group was created on a firewall using only IPv4 addressing, this group could not be displayed (list of network objects) or selected in the administration interface (in a filter rule, for example). This anomaly has been fixed.

User Access Control (UAC)

Support reference 47364

Following the migration of a configuration containing VPN access privilege rules from v9.x to v1.1.0, these privileges could no longer be modified. This issue has been resolved.

IPSec VPN

Support reference 47563

The wizard for creating an IPSec Mobile – Config mode policy did not allow the use of the “all” object in the Local network field. This behavior has been modified.

Notifications

Support reference 47449

In the settings of the SMTP server that sends e-mail notifications, the DNS domain field offered the value netasq.com by default. This field is now left empty.

Support reference 47252

The e-mail template used for sending alarm reports has been modified.

SSL VPN tunnel

Support reference 47500

During the installation of the Stormshield Network SSL VPN Client software, the associated Windows service (Stormshield SSL VPN Service) was configured in manual startup mode. This service is now installed in automatic startup mode.

Support reference 47620

Users with passwords that contain the character “%” were unable to log on through the Stormshield Network SSL VPN Client. This anomaly has been fixed.

Support reference 47479

The installation of the Stormshield Network SSL VPN Client by a standard user via the privilege elevation option (“Run as administrator”) failed with the message “the folder does not exist”. This issue has been resolved.

Support reference 47416

When an error arose during the installation of the Stormshield SSL VPN Client, this application could then no longer be uninstalled correctly. This issue has been fixed.

VMWare virtualization

Support reference 47281

The virtual disk (vmdk file) included in the disk images on firewalls (ova format) presented compatibility issues with the latest upgrades of the VMware ESXi virtualization software (versions 5.0 and 5.1 only). This issue has been resolved and new disk images have been published in your secure area.

Stormshield Network SSO Agent

During a quick change of an authenticated user’s connection type (e.g.: the end of a wired connection relayed immediately by a wireless connection), the SN SSO Agent could consider the user as logged off. This behavior has been corrected.

Stormshield Network Real-Time Monitor

Support reference 47504 - 47311

Adding a firewall to an empty address book made this address book inaccessible in SN Real-Time Monitor, and would cause the following message to display: “The address book cannot be opened. File does not exist or you don’t have the appropriate access rights”. This issue has been resolved.

Stormshield Network Administration Suite

Support reference 47505

The Stormshield Network Administration Suite installation wizard offered the wrong URL for product registration. This anomaly has been fixed.

Support reference 47506

The contact e-mail address and link to the Stormshield website have been modified in the welcome screens on SN Administration Suite applications (SN Real-Time Monitor, SN Unified Manager and SN Event Reporter).

Stormshield Network Unified Manager

Support reference 47508

In the SN Unified Manager welcome menu, the description of the option allowing the user to quit the application was truncated. This display flaw has been fixed.

Support reference 47511

The option for importing an address book has been deleted from the File menu in the Stormshield Network Unified Manager application.

Support reference 46840

The pop-up menu that allows adding external tools did not function for appliances other than firewalls (servers, workstations, etc.). This issue has been resolved.

Known issues

Intrusion prevention

Support reference 45406

In the configurations of filter rules combining address translation and inspection in “firewall” or “IDS” mode, connections using a protocol that requires packets to be rewritten (FTP for example) can be altered. As such, TCP packets presenting a sequence number outside the expected TCP window will stop the protocol scan (plugin attached due to the type of protocol). As the TCP window rewrites packets, interrupting it will therefore distort the associated NAT.

System

A vulnerability has been detected on the firewall’s FTP client. For it to be exploited, the FTP client would need to execute FTP commands that redirect to malicious HTTP URLs by leaving out the output file (“-o” FTP option). E.g.: ftp http://server/path/file.txt.

In its native state, this flaw cannot be exploited as the firewall never uses this FTP client for file transfers. However, to prevent any risk of the exploitation of this vulnerability, you are advised against executing scripts that would implement this FTP client on the firewall.

Interfaces

The connection type “if there is traffic (on demand)” prevented a modem from operating correctly. Therefore, during the creation of a modem in the wizard, the “permanent” connection option is now selected by default.

On U30S and SN200 models, several VLANs can now be created within a bridge via the web administration interface. However, you are strongly advised against performing this operation, which is not supported as it can lead to flaws in the transmission of responses to ARP requests received on these VLANs to the other interfaces of the bridge.

1.1.3 Bug fixes

System

Support reference 47633 - 47635

The automated procedure for updating a firewall by booting on a USB key is once again operational.

Network

Support reference 47548

The implementation of a VLAN on models in the higher end of the Stormshield Network firewall range (SN2000, SN3000 and SN6000) did not function properly. This issue has been fixed.

Intrusion prevention

A problem with the calculation of the TCP sequence number when rewriting data could potentially cause the firewall to freeze. This anomaly has been fixed.

1.1.2 Features

Support for high-range models

Version 1.1.2 is now compatible with the whole range of Stormshield Network firewalls, in particular the high-range model SN6000.

1.1.1 Bug fixes

System

If the option Enable log storage had been disabled, it would not have been possible to reactivate it subsequently. This problem was due to a detection error on the partition hosting the logs. This anomaly has been fixed.

Network

VLANs attached to a single interface (VLAN endpoint) could no longer be created or modified from the web administration interface in version 1. Indeed, interfaces could not be selected, thereby preventing the modification of this parameter for an existing VLAN or the validation of the creation of a VLAN through the wizard. This issue has been fixed.

1.1.0 Features

Support for high-range models

Version 1.1.0 now provides support for high-range models of Stormshield Network firewalls SN2000 and SN3000.

Global Administration

Deployment

For firewalls on which high availability has been enabled, wizards for object deployment and the filter policy now offer an option that allows synchronizing the members of the cluster at the end of the deployment.

1.1.0 Resolved vulnerabilities

SSL and TLS security flaw

A vulnerability that could cause a Man-in-the-middle (MITM) attack has been patched with the upgrade of the OpenSSL cryptographic library in version 1.0.1h. This protects the user from potential complex attacks during TLS negotiation (CVE-2014-0224).

1.1.0 Bug fixes

Web administration interface

Dashboard

Support reference 43992

For firewalls with redundant disks, the status of the RAID volume was not correctly displayed in the Hardware window in the Dashboard module (“no RAID available” message). This anomaly has since been fixed, and the properties of each disk belonging to a RAID cluster are displayed (identification of the disk, occupation of RAID volume and status of the disk).

1.0.0 Features

SSL VPN

SSL VPN allows remote users to safely access the company’s internal resources: shared networks, databases, applications, intranet, etc. All communications between the remote user and the central site will then be encapsulated and protected through a tunnel encrypted in SSL. This solution therefore guarantees authentication, confidentiality, integrity and non-repudiation.

From the client’s point of view, the way the SSL VPN works is similar to how an IPSec VPN client works in XAUTH mode, but has the advantage of a simplified configuration. Furthermore, it uses only TCP port 443, and therefore offers easy access from networks that filter internet access (hotels, public WiFi, 3G connection, etc.).

This operating mode based on OpenVPN open source technology (OpenVPN is licensed under GPL version 2) makes it accessible on any type of terminal (Windows, iOS, Android, etc.) through the SSL VPN client or an OpenVPN client, which has become a necessity in BYOD (Bring Your Own Device) environments.

Network traffic that goes through an SSL VPN tunnel also benefits from advanced firewall features such as authentication, URL filtering and intrusion prevention.

IPv6 support

Support for IPv6, offered in this new version, enables firewalls to be integrated into IPv4 and/or IPv6 infrastructures. Networking features (interfaces and routing), filtering, VPN and Administration are compatible with IPv6. This support is optional and can be enabled in the Configuration module.

The web administration interface can then be accessed whether in IPv6 or IPv4, as the firewall’s network interfaces can have either a static IPv6 address only or an IPv6 address as a complement to an IPv4 address (dual stack). Moreover, static routes and gateways can now be entered in IPv6.

The SLAAC (StateLess Address AutoConfiguration) mechanism has been implemented on the firewall in order to manage Router Advertisements (RA), which allow the automatic configuration of hosts on the network by distributing the IPv6 prefixes to use. These advertisements also allow communicating DNS parameters (RDNSS support - RFC 6106) and defining the firewall as the default gateway. The firewall’s DHCPv6 relay or server service may complement this mechanism in order to obtain, for example, the reservation of addresses in IPv6.

Network objects (hosts, networks and IP address ranges) may be addressed in IPv6, or in a hybrid of versions. Filter policies can therefore be applied to IPv6 objects and can use security inspection (customizable inspection profiles). However, application inspection features (Antivirus, Antispam and URL, SMTP, FTP and SSL filtering) are not available in this version. Likewise, network address translation (NAT) cannot be performed on IPv6 objects.

NOTE

For interfaces addressed in IPv6 and which belong in a bridge, in Advanced properties, the option for routing without an IPv6 protocol scan must be unselected, in order to authorize filtering on traffic.

IPSec tunnels are also compatible with IPv6. Tunnels can therefore be set up between two IPv6 endpoints and allow IPv4 or IPv6 traffic to go through. Conversely, IPv6 traffic can also go through IPv4 IPSec tunnels.

Built-in Bird dynamic routing is also compatible with IPv6.

Activity reports

Logs

Activity reports now allow you to monitor and use logs generated by appliances and stored locally. It is now easier to browse them in views by alarms, connection, web logs, etc. Filtering criteria available in advanced search mode allow a detailed analysis of logs.

Activity reports

In the Vulnerabilities category, 3 new "Top 10" reports display vulnerabilities with a Client or Server target, as well as a report on the most vulnerable applications.

Collaborative security

For more collaborative security, based on vulnerability reports generated by Vulnerability Manager, the level of protection on a machine identified as vulnerable can now be raised in just a single click. As such, when critical vulnerabilities are detected, you will now be able to add affected machines to a group created earlier, and to assign a strengthened protection profile or specific filter rules to it (quarantine zones, restricted access, etc.).

Network

Link aggregation – NG models

For the purposes of performance and the availability of physical links, the new version introduces the LACP (Link Aggregation Control Protocol) feature. Therefore, the physical ports of several appliances can be grouped together to be considered a single interface with the aim of increasing throughput by load balancing or to be used as a relay in the event of a failure (redundancy). This feature is only available on SN2000, SN3000, SN6000, NG1000 and NG5000 models.

DHCP through IPSec VPN

Local users can now benefit from the automatic configuration of the IP parameters of a remote DHCP server through an IPSec tunnel. To do this, the parameter “IP address used to relay DHCP queries” in the DHCP relay options must be entered and the IPSec interface in the listening interfaces must be selected.

TCP-MD5 support for BIRD

Support for TCP-MD5 authentication in BIRD dynamic routing allows protecting BGP sessions through the authentication of frames in the TCP header (RFC2385).

Intrusion prevention

“FastPath” mode

For rules with inspection in “firewall” mode, traffic has been optimized and throughput multiplied. This enhancement has been applied to IPv4 traffic, without NAT and without scans that open dynamic connections (e.g.: FTP). This mode is recommended if traffic is dedicated to data backups or replication, or for access to a main firewall’s satellite VPN sites if this firewall already scans traffic.

Multi-context signatures

This version applies a significant enhancement of the intrusion prevention engine. To counter complex attacks, the IPS engine is now able to correlate signatures in different contexts. Anti-evasion protection mechanisms have also been strengthened.

MS-RPC scan

In order to secure Microsoft RPC traffic, based on the DCE/RPC standard, this standard will be fully scanned. A new entry in the Protocol module offers to authorize or reject traffic using this protocol, described in detail by the Microsoft service (Microsoft Exchange, for example). A tooltip will show the UUID (Universal Unique Identifier) of each service when you roll your mouse over its name. A blacklist allows unreferenced services to be blocked by entering their UUIDs.

EPMAP scan and NetBios CIFS and NetBios SSN inspections

As the DCE/RPC protocol can be integrated into NetBios CIFS and NetBios SSN protocols, a new option allows you to inspect it. The options for the EPMAP protocol, which is used to relay access to services, allow restricting relays. Dynamic connections can also be opened on EPMAP (portmapper).

MAC addresses

Source MAC addresses are now notified in all connection logs for machines that belong to the same network.

Authorized Google services and accounts

An option enables the restriction of access to services and accounts provided by Google. By entering the domains with which your company is registered with Google Apps, as well as any secondary domains, access to Google services will be restricted to these authorized domains. This option is available via the HTTP protocol module.

Cloud backup

The “Cloud backup” option is a service range that allows securely performing regular backups of your firewall’s configuration. These backups can be stored on a local server, a server hosted by a partner or within the Cloud backup Service infrastructure.

Authentication

Guest method

This mode allows identification without authentication for access to a public WiFi network, for example. By default, this method enables the display of the conditions of use for internet access, which can be customized in the Captive portal tab. When these “guest” users log in, it will be recorded in the logs with the addition of the source MAC addresses.

HTTP proxy

HTTP protocol

An option makes it possible to allow or deny the use of an IP address as a URL, i.e. accessing a site via its IP address instead of its domain name, since URLs of this form may bypass the URL filter. As this block is applied after the filter rules have been evaluated, an internal server can still be reached through its IP address if access to it is explicitly authorized in the filter policy.
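The evaluation order described above, as an added Python model that is not part of the release note or of the product: the filter policy (represented here by an allowlist of internal networks, constructed values) is consulted first, then the IP-as-URL block applies to whatever remains.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: internal networks whose access is explicitly authorized in the filter policy.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("2001:db8:1::/48")]


def ip_literal_host(url: str):
    """Return the address when the URL host is an IP literal (dotted quad or bracketed IPv6),
    None when it is a domain name. Only canonical text forms are recognized."""
    host = urlsplit(url).hostname        # drops the port and the IPv6 brackets
    if host is None:
        return None
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None                      # a domain name, not an address


def http_decision(url: str, block_ip_urls: bool = True, internal=INTERNAL_NETWORKS) -> str:
    """Order of evaluation described above: filter policy first, then the IP-as-URL block."""
    addr = ip_literal_host(url)
    if addr is None:
        return "allow"                   # domain name: the URL filter applies as usual
    if any(addr in net for net in internal):
        return "allow"                   # explicitly authorized in the filter policy
    return "deny" if block_ip_urls else "allow"
```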

HTTP proxy cache

Thanks to the HTTP proxy cache’s storage of resources in memory, web browsing performance can be enhanced on low-bandwidth internet links or for access to a limited number of websites. Users therefore benefit from optimized response times when visiting websites, and bandwidth is saved as well.

NOTE

This feature is available only on models that have a hard disk.

It applies to HTTP(S) traffic in the filter policy, as a security inspection option. The tracking of resources stored in memory and the management of the cache can be viewed in Realtime Monitor (dashboard).

Explicit HTTP proxy

So that a policy on a firewall hosted in the cloud can be similar to a policy on a physical appliance, the listening port of an explicit HTTP proxy can now be configured in the filter policy (destination port). It may therefore differ from the default port (8080/TCP). For more information on how to create a policy in this mode, please refer to the Technical Note “Hybrid mode Cloud Firewall - Appliance”.

Web administration interface

Filtering and NAT

Single window for editing rules

To facilitate the entry of the various parameters of a NAT or filter rule, a single window opens when you double-click on the rule. This window allows you to edit the parameters offered in each column.

Statistics on the use of rules

In the active policy, each enabled filter and NAT rule displays a use counter. When you roll the mouse over the icon, a tooltip indicates the exact number of times this rule was executed. The 4 levels of use correspond to 0, 0 – 2, 2 – 20 and 20 – 100% of the count of the rule that has been used the most. The “Reinitialize rule statistics” button resets the counters and starts a new count.

Comments

Comments on new rules indicate the date the rule was created and, if it was not the “admin” account, the user who created it.

Dashboard: Properties

An entry now informs you when a new firmware upgrade is available. The version number displayed contains a link for downloading the upgrade file. To install it, go to the Maintenance module, System update tab.


Real Time Monitor

SSL VPN

The VPN tunnels module now differentiates tunnels set up via IPSec VPN and via SSL VPN in two separate tabs. The new SSL VPN tunnels tab logs communications between the remote user and the central site through SSL VPN tunnels. Available information includes the user name, the user’s original IP address and VPN IP address, the duration, the amount of data sent and received and the port used.

HTTP proxy cache

The storage of resources in memory may improve web browsing performance on low-bandwidth internet links or for access to a limited number of websites.

Resources stored in memory can be tracked and managed in the Dashboard, in the form of 3 diagrams. Two of them indicate the percentage of data stored in memory relative to the total number of requests and to their total size, and the third presents memory use.

Collaborative security

In the Events, Hosts and Vulnerability management modules, it is now possible to save a host displayed in the table to the Network objects database and add it to a group. As a result, when critical vulnerabilities are detected, you can assign a strengthened protection profile or specific filter rules to these hosts (quarantine zones, restricted access, etc.).

Diagrams

All the diagrams embedded in the various modules of the interface present a new graph.


Explanations on usage

IPv6 support

In version 1.0, the following are the main features that will not be available for IPv6 traffic:

- IPv6 address translation (NATv6),
- Application inspections (Antivirus, Antispam, HTTP cache, URL filtering, SMTP filtering, FTP filtering, SSL filtering),
- Use of the explicit proxy,
- DNS cache,
- SSL VPN tunnel portal,
- SSL VPN tunnels,
- Authentication via Radius or Kerberos,
- Vulnerability management.

High availability

If the firewall is in high availability and IPv6 has been enabled on it, the MAC addresses of the interfaces carrying IPv6 (other than those of the HA link) must be defined in the advanced configuration. Since IPv6 link-local addresses are derived from the MAC address, these addresses differ from one cluster member to the other, causing routing issues during a switchover.
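Why the addresses differ, as an added example that is not part of the release note: the standard link-local derivation (the fe80::/64 prefix with a modified EUI-64 built from the 48-bit MAC), applied to two cluster members with constructed MAC addresses, with and without a MAC defined in the advanced configuration.

```python
import ipaddress


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """Standard derivation: fe80::/64 prefix + modified EUI-64 built from the 48-bit MAC."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Modified EUI-64: flip the universal/local bit of the first octet, insert ff:fe in the middle.
    eui64 = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + eui64)


def cluster_link_locals(active_mac: str, passive_mac: str, configured_mac: str = "") -> tuple:
    """Link-local address each member uses on an interface: its own MAC by default, or the MAC
    defined in advanced configuration, which both members then share."""
    if configured_mac:
        shared = link_local_from_mac(configured_mac)
        return shared, shared
    return link_local_from_mac(active_mac), link_local_from_mac(passive_mac)


# Constructed sample MAC addresses of the two cluster members and the administrator-defined one.
ACTIVE_MAC, PASSIVE_MAC, CONFIGURED_MAC = "00:11:22:33:44:55", "00:11:22:33:44:56", "02:00:5e:00:53:01"
```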

Migration

Interfaces

When an original configuration does not contain all the expected Ethernet interfaces because some were deleted manually from the network configuration file, these interfaces are recreated in the target configuration during migration. The recreated interfaces keep their original names (e.g. Ethernet2), but the administration interface does not recognize these names as valid. This issue is resolved by renaming the interface concerned (e.g. dmz1 instead of Ethernet2).

System

The upgrade to version 9.2 of the FreeBSD system carries a known vulnerability related to its inability to support the latest version of NTP (CVE-2013-5211). This vulnerability cannot, however, be exploited on the firewall, as the configuration is secured by default.

Software update

Since the adoption of the UFS (Unix File System) partitioning scheme in version 1.2.0, the upgrade tool in the administration interface does not allow downgrading a firewall in version 1.2.0 to a 1.1.x or older firmware version. The only way to perform this operation is to restore the firewall via USB key. This procedure is described in the Technical Note “Software restoration by USB key” available in your secure area.

Furthermore, downgrading to a major firmware version older than the current version of the firewall requires a prior reset of the firewall to factory settings (defaultconfig). This operation is therefore necessary, for example, to migrate a firewall from a 1.x version to a 9.1.x version.

Configuration Support reference 31201

The NTP client on firewalls supports synchronization only with servers using version 4 of the protocol.

Backup restoration

If a configuration has been backed up on a firewall whose system version is lower than the current version, this configuration cannot be restored. For example, a configuration backed up in version 1.2.0 cannot be restored if the current version of the firewall is 1.1.3.

Dynamic objects

Network objects with automatic (dynamic) DNS resolution, for which the DNS server performs round-robin load balancing, cause the configuration of modules to be reloaded only if the current address is no longer present in the responses.

Watchdog

SN150 models do not have the hardware watchdog feature.

Activity Reports

Reports are generated from logs saved by the firewall, and these logs are written when connections are closed. As a result, connections that remain active (e.g. an IPSec tunnel with translation) will not appear in the statistics displayed by Activity Reports.

The logs generated by the firewall depend on the type of traffic, so objects may not be named in the same way (srcname and dstname). To avoid having multiple representations of the same object in reports, you are advised to give the object created in the firewall’s database the same name as the one obtained via DNS resolution.

Intrusion prevention

HTML analysis

The rewritten HTML code is not compatible with all web services (apt-get, Active Update), as the “Content-Length” header is removed.


Instant messaging

NAT is not supported on instant messaging protocols.

Preserve initial routing Support reference 35960

The option that preserves the initial routing on an interface is not compatible with features for which the ASQ engine has to create packets:

- Reinitialization of connections during the detection of a blocking alarm (sending a RESET packet),
- SYN proxy protection,
- Detection of the protocol by plugins (filter rules without a specified protocol),
- Rewriting of data by certain plugins such as web 2.0, FTP with NAT, SIP with NAT and SMTP.

NAT Support reference 29286

State tracking for the GRE protocol is based on source and destination addresses only. Two simultaneous connections to the same server, either from the same client or sharing a common source address, therefore cannot be differentiated (when "map" is used).

H323 support

Support for address translation in the H323 protocol is rudimentary; in particular, it does not support NAT bypass by gatekeepers (announcement of any address other than the connection’s source and destination).

Proxies

SSL proxy Support reference 31308

The SSL (Secure Sockets Layer) protocol, which became Transport Layer Security (TLS) in 2001, is supported in version 3 (1996). Sites that use an older version (which may present security flaws) or that do not support the start of a negotiation in TLS will be blocked.

Internet Explorer versions 7 and 8 do not enable support for TLS 1.0 by default. For security reasons, you are advised to enable TLS 1.0 support via an Active Directory object that defines host configurations (group policy object or GPO).

FTP proxy Support reference 35328

If the option “Keep original source IP address” has been enabled on the FTP proxy, reloading the filter policy disrupts FTP transfers in progress (both uploads and downloads).


Filtering

Outgoing interface

If a filter rule specifies an outgoing interface that belongs to a bridge but is not the first interface of this bridge, the rule will not be applied.

Multi-user filtering

It is possible to allow multi-user authentication for a network object (several users authenticated on the same IP address) by entering the object in the list of Multi-user Objects (Authentication > Authentication policy).

Filter rules with a user@object source type (except any or unknown@object), and with a protocol other than HTTP, do not apply to this object category. This behavior is inherent in the packet processing mechanism used by the intrusion prevention engine.

The explicit message that warns the administrator of this restriction is: “This rule cannot identify users who are logged on to a multi-user object”.

URL filtering Support reference 31715

Filtering by authenticated user cannot be carried out within the same URL filter policy. However, it is possible to apply specific filter rules (application inspection) for each user.

Network

On SN150 models, configurations containing several VLANs in a bridge are not supported.

IPsec VPN

PKI

The presence of a certificate revocation list (CRL) is not required. If no CRL has been found for the certificate authority (CA), the negotiation will be allowed.

DPD (Dead Peer Detection) Support reference 37332

The VPN feature known as DPD (Dead Peer Detection) checks whether a peer is still operational by sending availability test requests.

If a firewall is the responder in an IPSec negotiation in main mode and has set DPD to “inactive”, this parameter will be forced to “passive” in order to answer the peer’s DPD requests. Indeed, during such a negotiation, DPD is negotiated before the peer is identified, and therefore before knowing whether DPD requests can be ignored for this peer.

This parameter is not modified when the firewall is the initiator of the negotiation or when aggressive mode is used, as in these cases DPD is negotiated once the peer has already been identified.


IPv6 keepalive

For site-to-site IPSec tunnels, the additional keepalive option, which artificially keeps these tunnels up, cannot be used with traffic endpoints that have IPv6 addresses. For traffic endpoints configured in dual stack (IPv4 and IPv6 addresses), only IPv4 traffic benefits from this feature.

Authentication

SSO Agent

The SSO Agent authentication method is based on authentication events collected by Windows domain controllers. As these events do not indicate the source of the traffic, the authentication policy cannot be restricted by interface.

Support reference 47378

The SSO agent does not handle user names containing the following special characters: " <tab> & ~ | = * < > ! ( ) \ $ % ? ' ` @ <space>. The firewall therefore will not receive notifications of connections and disconnections relating to these users.

CONNECT method

Multi-user authentication on the same host in cookie mode does not support the CONNECT method (HTTP). This method is generally used with an explicit proxy for HTTP connections. For this type of authentication, the use of “transparent” mode is recommended. For further information, please refer to the online help at documentation.netasq.com, chapter Authentication.

Conditions of use

The Conditions of use for Internet access on the captive portal may not display correctly in Internet Explorer 9 with Internet Explorer 7 compatibility mode.

Users

The creation of several users with the same login is allowed, but is not compatible with user authentication.

Spaces in user logins are not supported.

Logging off

An authentication session can only be logged off using the same method that was used during authentication. For example, a user who authenticated using the SSO agent method cannot log off through the authentication portal, as the portal requires a cookie in order to log off, and no such cookie exists in this case.


High availability

Interaction of H.A. in bridge mode and switches

In an environment with a firewall cluster configured in bridge mode, it has been observed that the traffic switchover takes about 10 seconds. This duration corresponds to the switchover time of 1 second, to which the time taken by switches to relearn MAC addresses is added.

Routing by policy

The connection router ID is not transferred to the passive firewall. As a result, a session routed by the filter policy may be lost when the cluster switches over.

Models

High availability based on a cluster of firewalls of different models is not supported. Furthermore, a cluster with one firewall using 32-bit firmware and the other using 64-bit firmware is not allowed.

Vulnerability manager Support reference 28665

The application inventory carried out by Vulnerability Manager indexes applications by the IP address of the host that initiates the traffic.

Hosts whose IP address is shared by several users (an HTTP proxy, a TSE server or a router performing dynamic source NAT, for example) may therefore cause a significant load on the module. You are advised to place the addresses of these hosts in an exclusion list (unsupervised elements).

Real Time Monitor Support reference 28665

The CLI command MONITOR FLUSH SA ALL was initially intended to disable IPSec tunnels in progress by deleting their security associations (SA). However, since Bird dynamic routing also uses this type of SA, this command degrades the Bird configuration and prevents any connections from being set up. The same problem arises with the “Reinitialize all tunnels” feature offered in the Real Time Monitor interface.

To resolve this issue, simply restart the Bird service.